A quick reference page for Volatility work I’ve done:
- Code – https://github.com/superponible/volatility-plugins
- Prefetch Parser (prefetch.py) – Extract prefetch data from a memory dump, mainly first and last execution time
- Uninstall Info (uninstallinfo.py) – Dumps the DisplayName values in HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Uninstall in a memory dump to view installed software and patches
- Chrome History (chromehistory.py) – 2014 Contest – http://blog.superponible.com/2014/08/31/volatility-plugin-chrome-history/
- Firefox History (firefoxhistory.py) – 2014 Contest – http://blog.superponible.com/2014/08/31/volatility-plugin-firefox-history/
- Java IDX Parser (idxparser.py) – 2014 Contest – http://blog.superponible.com/2014/08/31/volatility-plugin-java-idx-parser/
- SQLite Helper Module (sqlite_help.py) – 2014 Contest – http://blog.superponible.com/2014/08/31/volatility-plugin-sqlite-helper/
- Office Trust Records (trustrecords.py) – 2014 Contest – http://blog.superponible.com/2014/08/30/volatility-plugin-office-trust-records/
- SSDeep plugins (ssdeepscan.py, malfinddeep.py, apihooksdeep.py) – 2014 Contest – http://blog.superponible.com/2014/08/30/volatility-plugin-ssdeep-for-malfind-and-apihooks/
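To show what the Prefetch Parser entry above is doing at the byte level, here is an added, stand-alone example of carving Windows Prefetch headers out of a raw memory image and pulling the executable name, run count and last execution time(s) out of each. It is not the plugin's code and does not use the Volatility framework; the header offsets for format versions 17, 23 and 26 follow the publicly documented Prefetch layout, treating version 30 as sharing the version 26 layout is an assumption, and the memory image, executable names, hash value and timestamps are all constructed for the example.

```python
"""
Carve Windows Prefetch headers ("SCCA" signature) out of a raw memory
buffer and report exe name, run count and last run time(s).

Added example, not the superponible prefetch plugin's code: a
stand-alone re-implementation of the same idea without Volatility.
"""
import re
import struct
from datetime import datetime, timedelta, timezone

SIGNATURE = b"SCCA"
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# Per format version: (offset of the last-run FILETIME slots, number of
# slots, offset of the run counter). 17 = XP/2003, 23 = Vista/7,
# 26 = Windows 8.x. Version 30 (Windows 10) is ASSUMED to share the
# version 26 layout; on disk it is MAM-compressed, but a decompressed
# header is what would be carved from memory.
LAYOUT = {
    17: (0x78, 1, 0x90),
    23: (0x80, 1, 0x98),
    26: (0x80, 8, 0xD0),
    30: (0x80, 8, 0xD0),
}


def filetime_to_datetime(ft):
    """FILETIME = 100 ns ticks since 1601-01-01 UTC."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt):
    delta = dt - EPOCH_1601
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


def parse_prefetch_header(buf, off):
    """Parse one candidate header at buf[off:]; None if it is not sane."""
    version, = struct.unpack_from("<I", buf, off)
    if version not in LAYOUT or buf[off + 4:off + 8] != SIGNATURE:
        return None
    run_off, slots, count_off = LAYOUT[version]
    if off + count_off + 4 > len(buf):
        return None                       # truncated at end of image
    # 0x10: executable name, 60 bytes UTF-16LE, NUL terminated
    raw_name = buf[off + 0x10:off + 0x10 + 60]
    exe_name = raw_name.decode("utf-16-le", errors="replace").split("\x00", 1)[0]
    if not exe_name or not exe_name.isprintable():
        return None                       # signature hit on junk
    pf_hash, = struct.unpack_from("<I", buf, off + 0x4C)
    last_runs = []
    for i in range(slots):
        ft, = struct.unpack_from("<Q", buf, off + run_off + 8 * i)
        if ft:                            # unused slots (v26/30) are zero
            last_runs.append(filetime_to_datetime(ft).isoformat())
    run_count, = struct.unpack_from("<I", buf, off + count_off)
    return {"offset": off, "version": version, "exe_name": exe_name,
            "hash": pf_hash, "run_count": run_count, "last_run": last_runs}


def carve_prefetch(mem):
    """Find every SCCA signature in mem and keep the ones that parse."""
    records = []
    for m in re.finditer(re.escape(SIGNATURE), mem):
        off = m.start() - 4               # version field precedes "SCCA"
        if off < 0:
            continue
        rec = parse_prefetch_header(mem, off)
        if rec:
            records.append(rec)
    return records


def build_header(version, exe_name, last_runs, run_count):
    """Constructed test data: a minimal Prefetch header of one version."""
    run_off, slots, count_off = LAYOUT[version]
    hdr = bytearray(0x100)
    struct.pack_into("<I", hdr, 0x00, version)
    hdr[4:8] = SIGNATURE
    struct.pack_into("<I", hdr, 0x0C, len(hdr))
    name = exe_name.encode("utf-16-le")
    hdr[0x10:0x10 + len(name)] = name
    struct.pack_into("<I", hdr, 0x4C, 0x7F9A2C3D)   # arbitrary hash value
    for i, dt in enumerate(last_runs[:slots]):
        struct.pack_into("<Q", hdr, run_off + 8 * i, datetime_to_filetime(dt))
    struct.pack_into("<I", hdr, count_off, run_count)
    return bytes(hdr)


UTC = timezone.utc
# Constructed "memory image": padding, a false SCCA hit, a Win7 header,
# more padding, then a Win8 header with two populated run-time slots.
SAMPLE_MEMORY = (
    b"\x00" * 0x40 + b"junk SCCA not a header" + b"\x00" * 0x20
    + build_header(23, "CALC.EXE", [datetime(2014, 8, 31, 12, 0, 0, tzinfo=UTC)], 7)
    + b"\xff" * 0x80
    + build_header(26, "MIMIKATZ.EXE",
                   [datetime(2014, 8, 30, 9, 15, 0, tzinfo=UTC),
                    datetime(2014, 8, 29, 23, 59, 59, tzinfo=UTC)], 2)
)

if __name__ == "__main__":
    for r in carve_prefetch(SAMPLE_MEMORY):
        print(f"{r['offset']:#08x} v{r['version']} {r['exe_name']:<16} "
              f"runs={r['run_count']} last={', '.join(r['last_run'])}")
```

The signature scan alone produces false positives on any "SCCA" byte sequence, so the parser only keeps hits whose version field and executable name make sense; on a real image you would additionally cross-check the carved run times against process creation times from pslist/psscan, since a Prefetch record in memory may be stale or belong to a file cached from disk.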
Hi,
I’m having some difficulty running your prefetch plugin. I’m using the following command:
vol.py --plugins=[PLUGIN_FOLDER] prefetch -f [FILE] [PROFILE]
The error I get is:
ERROR : __main__ : You must specify something to do (try -h)
Appreciate any help you can provide.
Cheers,
Andrew
Sorry, I didn’t notice this comment till just now. Hopefully, you got it working. If not, the plugin name is “prefetchparser” not just “prefetch”. If you change it in your command, it should work.